Exotic
Exotic is a ransomware that runs on Microsoft Windows. It was discovered by MalwareHunterTeam. The Exotic ransomware appears to be in development, with three variants released over three days. According to MalwareHunterTeam, the first variant contained an image of Hitler as part of the background of the ransom note, the second included a different picture of Hitler and some text, and the third contains the Jigsaw-like screenlocker.

Payload

When the ransomware starts, it scans certain folders for files that have specific extensions. When it encounters a targeted file, it encrypts the file using AES-128, renames it, and appends the .exotic extension. For example, a file called test.jpg could be encrypted and renamed to 87as.exotic, so the original file name cannot be recovered from the encrypted file's name.

Exotic currently targets only specific folders. These folders are:

%UserProfile%\Desktop
%UserProfile%\MyMusic
%UserProfile%\Personal
%UserProfile%\MyVideos
%UserProfile%\Contacts\
%UserProfile%\Downloads\
%UserProfile%\MyPictures
/vmware-host/
%UserProfile%

MyMusic, Personal, MyVideos and MyPictures are Windows special-folder names rather than literal directory names (Personal is the user's Documents folder). Because %UserProfile% itself is on the list, targeted file types stored anywhere under the user's profile, including under AppData, are at risk; this is why the ransomware's own Startup copy described below ends up encrypted.

The file types that Exotic will encrypt are:

.txt, .exe, .text, .cur, .contact, .ani, .xls, .com, .url, .ppt, .src, .cmd, .tgz, .fon, .pl, .lib, .load, .CompositeFont, .png, .mp3, .mkv, .veg, .mp4, .lnk, .zip, .rar, .7z, .jpg, .sln, .crdownload, .msi, .vb, .vbs, .vbt, .config, .settings, .resx, .vbproj, .json, .jpeg, .scss, .css, .html, .hta, .ttc, .ttf, .eot, .camproj, .m4r, .001, .002, .003, .004, .005, .006, .007, .008, .009, .au, .aex, .8be, .8bf, .8bi, .abr, .adf, .apk, .ai, .asd, .bin, .bat, .gif, .3dm, .3g2, .3gp, .aaf, .accdb, .aep, .aepx, .aet, .aif, .arw, .as, .as3, .asf, .asp, .asx, .avi, .bay, .bmp, .cdr, .cer, .class, .cpp, .cr2, .crt, .crw, .cs, .csv, .dll, .db, .dbf, .dcr, .der, .dng, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .dxg, .efx, .eps, .erf, .fla, .flv, .iso, .idml, .iff, .ini, .sik, .indb, .indd, .indl, .indt, .ico, .inx, .jar, .jnt, .java, .key, .kdc, .m3u, .m3u8, .m4u, .max, .mdb, .mdf, .mef, .mid, .mov, .mpa, .mpeg, .mpg, .mrw, .msg, .nef, .nrw, .odb, .odc, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdb, .pdf, .pef, .pem, .pfx, .php, .plb, .pmd, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .pptm, .pptx, .prel, .prproj, .ps, .psd, .pst, .ptx, .r3d, .ra, .raf, .raw, .rb, .rtf, .rw2, .rwl, .sdf, .sldm, .sldx, .sql, .sr2, .srf, .srw, .svg, .swf, .tif, .vcf, .vob, .wav, .wb2, .wma, .wmv, .wpd, .wps, .x3f, .xla, .xlam, .xlk, .xll, .xlm, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx

Note that the list includes executable and script types (.exe, .dll, .cmd, .bat, .vbs, .msi), not only documents and media.

The ransomware then downloads a background image for the lock screen from http://mitteoderso.de/image.png, saves it into the %Temp% folder, and displays the lock screen. While the program is running it looks for certain processes and terminates them if found, so the victim cannot easily inspect the system or kill the ransomware. The processes terminated by Exotic are:

taskmgr
cmd
procexp
procexp64
regedit
CCleaner64
msconfig

Finally, the ransomware continues to monitor the folders listed above for new unencrypted files and encrypts them. When the timer on the lock screen reaches 0, Exotic shuts down the computer.

The ransomware also copies itself to %UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe so that it would run at the next logon. Because that copy lies under %UserProfile% and .exe is a targeted extension, the copy is itself encrypted by the ransomware and can no longer run. Therefore, on reboot the ransomware will no longer be active.

Category:Win32 ransomware
Category:Ransomware
Category:Win32 trojan
Category:Win32
Category:Microsoft Windows
Category:Trojan
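The targeting rule from the Payload section (a file is hit when it sits under one of the listed folders and has one of the listed extensions), the .exotic renaming and the process kill list can be turned into a small triage script for a file listing taken from a suspect machine. The script below is an added example written for this page; it is not code from MalwareHunterTeam or from the malware itself. It assumes a profile root of C:\Users\alice, treats the folder match as recursive (which the encrypted Startup copy implies), uses only a subset of the extension list to stay short, and runs over a constructed file listing.

```python
"""Triage helper modelled on the Exotic behaviour described on this page.

Added example, not the malware's code. Re-implements the page's folder and
extension targeting rule as a predicate, then classifies a constructed
file listing into: already encrypted (.exotic), the Startup-folder copy,
and files the rule says would be encrypted next. Nothing is encrypted or
deleted; the script only reads path strings.
"""
import ntpath

# Assumed profile root for the constructed sample paths.
USER_PROFILE = r"C:\Users\alice"

# Folders the page lists as targeted. MyMusic, Personal, MyVideos and
# MyPictures are special-folder names; they are kept as written because
# %UserProfile% itself is on the list, so the prefix match already covers
# everything beneath the profile.
TARGET_FOLDERS = [
    r"%UserProfile%\Desktop",
    r"%UserProfile%\MyMusic",
    r"%UserProfile%\Personal",
    r"%UserProfile%\MyVideos",
    r"%UserProfile%\Contacts",
    r"%UserProfile%\Downloads",
    r"%UserProfile%\MyPictures",
    r"/vmware-host/",
    r"%UserProfile%",
]

# Subset of the page's extension list (compared lowercased); extend with
# the full list when running against a real listing.
TARGET_EXTENSIONS = {
    ".txt", ".exe", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg",
    ".png", ".mp3", ".mp4", ".zip", ".rar", ".lnk", ".cmd", ".bat",
    ".dll", ".ini", ".json", ".html", ".sql", ".pst",
}

ENCRYPTED_EXT = ".exotic"

# Image names (without .exe) that the page says Exotic terminates.
KILL_LIST = {"taskmgr", "cmd", "procexp", "procexp64", "regedit",
             "ccleaner64", "msconfig"}

# Persistence location from the page.
STARTUP_COPY = (r"%UserProfile%\AppData\Roaming\Microsoft\Windows"
                r"\Start Menu\Programs\Startup\svchost.exe")


def _norm(path: str) -> str:
    """Expand %UserProfile%, normalise separators and fold case for matching."""
    expanded = path.replace("%UserProfile%", USER_PROFILE)
    return ntpath.normpath(expanded).lower()


def is_targeted(path: str) -> bool:
    """True if the page's rule (targeted folder AND targeted extension) hits."""
    p = _norm(path)
    if ntpath.splitext(p)[1] not in TARGET_EXTENSIONS:
        return False
    for folder in TARGET_FOLDERS:
        f = _norm(folder)
        if p == f or p.startswith(f + "\\"):  # recursive match (assumed)
            return True
    return False


def is_encrypted(path: str) -> bool:
    """True for files already renamed by Exotic, e.g. 87as.exotic."""
    return _norm(path).endswith(ENCRYPTED_EXT)


def killed_processes(running: list[str]) -> list[str]:
    """Return the image names in `running` that Exotic would terminate."""
    hits = []
    for name in running:
        base = ntpath.splitext(ntpath.basename(name))[0].lower()
        if base in KILL_LIST:
            hits.append(base)
    return hits


def triage(paths: list[str]) -> dict[str, list[str]]:
    """Classify a file listing into encrypted / startup_copy / at_risk."""
    report = {"encrypted": [], "startup_copy": [], "at_risk": []}
    for path in paths:
        if is_encrypted(path):
            report["encrypted"].append(path)
        elif _norm(path) == _norm(STARTUP_COPY):
            report["startup_copy"].append(path)
        elif is_targeted(path):
            report["at_risk"].append(path)
    return report


# Constructed listing for the example; not taken from a real infection.
SAMPLE_LISTING = [
    r"C:\Users\alice\Desktop\87as.exotic",
    r"C:\Users\alice\Desktop\report.docx",
    r"C:\Users\alice\Documents\notes.md",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe",
    r"C:\Windows\System32\calc.exe",
    r"/vmware-host/Shared Folders/budget.xlsx",
    r"C:\Users\alice\AppData\Local\Temp\image.png",
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LISTING).items():
        print(bucket, items)
    print("killed:", killed_processes(["explorer.exe", "Taskmgr.exe", "cmd"]))
```

The Startup copy is reported separately only while it still has its .exe name; once the encryption pass reaches it, the same file shows up under "encrypted" with a path inside the Startup folder, which is the artifact to look for when confirming that persistence failed as the page describes. The predicate also shows why C:\Windows\System32 files are untouched: no listed folder covers them, whatever their extension.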